Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

addslashes for database sanatization


Mr_Cheese's Avatar
0 1

for those of you that may use addslashes() in php to sanatize user input before being entered into the database… i may have some interesting news for you.

many use addslashes to make sure values can be added safely into a database.

some of you may not be aware that addslashes isnt "secure". many developers prefer mysql_escape_string() isntead as this is a much more effective and secure way of sanatizing data.

the other day a couple of our clients had problems saving information. this was due to them using an old system that used addslashes() to enter information itno the database.

I know that upside down question marks escape addslashes() but was unaware of other charachters that may do so.

We discovered that some charachters produced by microsoft word 2008 actually escaped addslashes aswell. One of the charachters was the comma. This is because Microsoft Word 2008 uses a special charachter for comma's instead of the standard , - Microsoft word does this because the special charachter they use, looks 0.1% better than the standard comma.

The client was simply copying/pasting information from word into a textbox which thus tried entering the special charachter into the database.

And as you probably know, if you can escape addslashes(), it means you can SQL Inject.

So a lesson learnt… deffinatly use mysql_escape_string instead of addslashes. mysql_escape_string was able to sanatize the special charachters.

Thought this was worth mentioning incase others were only aware of the upside down ? exploit, you now have other charachters to play around with.

Useful links: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string http://uk3.php.net/addslashes http://uk3.php.net/mysql_escape_string


ghost's Avatar
0 0

Interesting post Mr_Cheese, thanks for sharing the info.


Uber0n's Avatar
Member
0 0

Whoa :o now I have something to play with on my own server tonight ^^

Thanks a lot, Cheese!


korg's Avatar
Admin from hell
0 0

Nice update Cheese, Something to check and watch out for. Thanks.


ghost's Avatar
0 0

mysql_escape_string or mysql_real_escape_string are definitely the better way to go. they add slashes to a wider range of characters. in the way of stripping \n and \r, it can also prevent things such as CRLF injection, probably other things too.